Security news that informs and inspires

Software Supply Chain Security: ‘An Everybody Problem’

By

SAN FRANCISCO – As software supply chain attacks continue to spiral, the federal government’s long-term priority is focused on shifting the liability away from end users and squarely on the shoulders of manufacturers. But the path to improving the security of software all the way across the supply chain isn’t so simple.

Products are being built on “decades of technical debt,” said Dan Lorenc, CEO and co-founder of Chainguard, including code written over the past 40 years that needs to be fixed. Not only does the industry need to focus on getting secure code in place, but also on making decisions about whether code can be trusted in the first place to run in certain applications.

“This isn’t something you can just purchase software for and tack it on after,” said Lorenc during a panel session at the RSA Conference this week. “This is a development problem. We need to change the way that developers write software and if they think about this from the start. You can’t bolt it on at the end.”

Another challenge is that vulnerabilities are prevalent across all aspects of the supply chain - from attacks on software vendors, with the best known one being the SolarWinds attack, to vulnerabilities in widely used logging libraries, such as Log4j. These are two completely distinct types of attacks and sets of vulnerabilities, with very different solutions, “but they all get lumped together in this supply chain security category,” said Lorenc.

“There’s no easy answer,” he said. “There’s a bunch of different problems that need a bunch of different solutions to solve them. Supply chain security is really tough because of that. It’s about the gaps between organizations, it’s about the code I write but also how I get that to you. It’s about how your organization manages that code that they’re consuming.”

These types of attacks are lucrative for threat actors, meanwhile, because of the sheer number of potential targets one sprawling compromise can reach. The list of supply chain attacks against software suppliers continues to grow, including most recently the 3CX attack, as well as the ones against Kaseya and SolarWinds. Part of what makes these attacks so damaging is the potential sheer breadth of impact: Last week, for example, Mandiant researchers outlined how the 3CX supply chain attack was actually the result of a separate software supply chain compromise, with more victims likely in the mix.

“We need to change the way that developers write software and if they think about this from the start. You can’t bolt it on at the end.”

These attacks caught the attention of the U.S. government, which has aimed to support software supply chain security through various regulatory measures over the past year. The National Cybersecurity Strategy, released in March by the Biden administration, is one of the bolder strategies put out by the White House in shifting the onus toward manufacturers.

“The strategy really outlines how we need to look at the most atomic unit, all the way to the code, through how we distribute software and the products that it’s in,” said Camille Stewart Gloster, with the White House Office of the National Cyber Director.

Technology providers are often in a rush to get their products out to market, or to add new features, and the current standard practices and processes have not traditionally prioritized security and the long-term impact on the overall ecosystem in the process. The National Cybersecurity Strategy, and other government measures, aim to create market incentives that would instead create a secure by design model.

Biden’s 2021 Executive Order on Improving the Nation's Cybersecurity requires federal agencies to use only software that has been developed using secure development practices and instructs agencies to require certification from the vendors they work with. As part of this, by June vendors working with federal agencies must demonstrate that their products meet minimum NIST standards, for instance.

Separately, this month, CISA, the FBI, the NSA and international partners released guidance for manufacturers on building secure by design technology. Stewart Gloster stressed that the work has to begin at the training level for developers so that security is prioritized at the outset - something that is currently lacking as few developers have formal education in secure coding practices.

“What’ll you see in the National Cybersecurity Strategy, and in the implementation to come, is us trying to identify the places where we can best serve across the software ecosystem - not just open source - where we can invest and support industry, all of the other players, in that evolution towards long-term investments or secure by design,” said Stewart Gloster.

“I just want to emphasize one thing in this space: it’s not a government problem, it’s not a private sector problem, it’s an everybody problem.”

While these regulatory measures will impact a number of companies working with the public sector, they’re still only limited to federal agencies. For the private sector, inventory is a critical piece in ensuring that software is secure, and companies must know what their code is, where it is stored and where it’s coming from. However, that code is often in flux, with tweaks being made or vulnerabilities being discovered.

“The software supply chain issue is actually very easy to solve, it’s just impossible to implement,” said James Higgins, CISO of Snap, Inc. “If you can understand the inventory and landscape and understand where all your code is coming from, you’ve solved 80 percent of the problem. The other 20 percent is around the mechanics of moving that code, building and deploying it, but also understanding how that code changes and when a vulnerability is discovered or introduced, how you deal with it.”

While lots of work remains, panelists at the RSA session said they’re hopeful that the increased regulatory attention - and increased attacks occurring across the industry - will continue to drive change in how software across the supply chain is secured.

“I just want to emphasize one thing in this space: it’s not a government problem, it’s not a private sector problem, it’s an everybody problem,” said Higgins. “We keep talking about supply chain, and there’s one key word in there - chain. If you compromise any part of the chain and inject code or whatever it is, then the entire chain breaks.”